Releases: cloudfoundry/haproxy-boshrelease

v8.5.0

08 Dec 14:09

New Features

  • It is now possible to force HAProxy to require that the SNI sent by a
    client match one of HAProxy's defined certificates. If enabled, and the
    client does not request a corresponding host via SNI, the request will
    be rejected, rather than being served HAProxy's default certificate.
    To enable, set the ha_proxy.strict_sni property to true.

Acknowledgements

Thanks @b1tamara for the new feature!

Deployment

releases:
- name: haproxy
  version: 8.5.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.5.0/haproxy-8.5.0.tgz
  sha1: 002957451c1328bb6e199fef10be379ed3a5f65e

v8.4.2

29 Oct 21:23

New Features

  • Added the ability for HAProxy to do mutual TLS authentication with its HTTP backend servers
    Thanks @datianshi!

Other

  • Improved documentation regarding the many timeouts HAProxy supports
  • Migrated the ttar utility to a submodule in src, from a blob, for greater
    transparency

Deployment

releases:
- name: haproxy
  version: 8.4.2
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.4.2/haproxy-8.4.2.tgz
  sha1: dc543f84d361eeb41a8ecbd56f481bcbcd4eacc7

v8.4.1

06 Sep 21:54

Bug Fixes

  • Resolved an issue where certs specified using the new cert_chain
    and private_key would result in an invalid cert file if a newline
    wasn't provided in the cert_chain value. Leading and trailing whitespace
    are now removed, and the newline is added for you.
  • When using links for the TCP backend, the health_check_http property is now consumed to
    set up an HTTP health check for the backend. If it is not there, the job will fall back
    to the default ha_proxy.tcp_link_health_check_http value (or, if that
    isn't present, no health check is enabled).
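
The cert_chain newline issue from the first fix above, shown as an added example (not the release's own template code): joining a cert_chain that lacks a trailing newline directly to the next PEM block fuses two marker lines, and stripping each part and appending one newline avoids that. The sample PEM bodies are constructed placeholders, and the chain-then-key join order and the helper names are assumptions.

```ruby
# Constructed sample input: placeholder bodies, not real key material.
CERT_CHAIN_NO_NEWLINE =
  "-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----"
PRIVATE_KEY =
  "\n-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n-----END RSA PRIVATE KEY-----\n\n"

# Naive join (assumed order: chain, then key). With no trailing newline on
# the chain, its END line and the key's BEGIN line can end up on one line.
def naive_pem(cert_chain, private_key)
  cert_chain + private_key.lstrip
end

# Fix described in the release note: remove leading and trailing whitespace
# from each part, then terminate each part with exactly one newline.
def normalized_pem(cert_chain, private_key)
  [cert_chain, private_key].map { |part| part.strip + "\n" }.join
end

# Structural check: every marker sits alone on its line, and each BEGIN is
# closed by an END with the same label before the next block starts.
def well_formed_pem?(text)
  open_label = nil
  text.each_line do |raw|
    line = raw.chomp
    next unless line.include?("-----")
    m = /\A-----(BEGIN|END) ([A-Z0-9 ]+)-----\z/.match(line)
    return false unless m
    if m[1] == "BEGIN"
      return false if open_label
      open_label = m[2]
    else
      return false unless open_label == m[2]
      open_label = nil
    end
  end
  open_label.nil?
end

puts "naive join well formed:      #{well_formed_pem?(naive_pem(CERT_CHAIN_NO_NEWLINE, PRIVATE_KEY))}"
puts "normalized join well formed: #{well_formed_pem?(normalized_pem(CERT_CHAIN_NO_NEWLINE, PRIVATE_KEY))}"
```
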

Acknowledgements

Thanks @ryanmoran and @philippthun for the fixes!

Deployment

releases:
- name: haproxy
  version: 8.4.1
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.4.1/haproxy-8.4.1.tgz
  sha1: 3b860b9a12ac94ea9e9f9f6ad7ec7b58becd0e7a

v8.4.0

21 Aug 14:32

New Features

  • ssl_pem now has additional support for supplying custom cert chains associated with each certificate.
    It can still be specified as a single block of text, or as an array of private keys. The newly supported format
    looks something like this:

    ssl_pem:
    - private_key: |
        -----BEGIN RSA PRIVATE KEY-----
        key here
        -----END RSA PRIVATE KEY-----
      cert_chain: |
        -----BEGIN CERTIFICATE-----
        cert here
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        cert here
        -----END CERTIFICATE-----
    

Acknowledgements

Thanks @Nino-K and @flawedmatrix for the new feature!

Deployment

releases:
- name: haproxy
  version: 8.4.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.4.0/haproxy-8.4.0.tgz
  sha1: a3a911f0cf8e672b27c6cb16318fd8c7c77f5bde

haproxy BOSH Release v8.3.0

13 Jul 15:01

Improvements

  • The default values for ha_proxy.keepalive_timeout and ha_proxy.request_timeout have been reduced to 0.2 seconds and 5 seconds, respectively.

  • There is now the ability to configure a backend port separate from the frontend port for the TCP backend
    configured via the tcp_backend link. If the backend_port property is exposed in the link, it is used.
    If not, the ha_proxy.tcp_link_port will be used. If that is not set, the port link property will be used.

  • The HTTP Host header is now logged by HAProxy on http/https backends.

  • HAProxy can now be configured to run across multiple cores, for improved performance when handling SSL
    termination, via the ha_proxy.threads property. If enabled, this will create additional
    HAProxy stats sockets (as well as http-based listeners, if ha_proxy.stats_bind is also enabled) - one
    for each new HAProxy process. If you are monitoring HAProxy performance using those endpoints, make sure
    that you grab statistics from each monitoring socket, as each one is tied to a single HAProxy process.

  • Generic blacklist + whitelist support has been added for HAProxy for http and https listeners. If specified,
    HAProxy will ensure requests come from an IP that is either whitelisted, or not blacklisted. See the
    ha_proxy.cidr_blacklist, ha_proxy.cidr_whitelist, and ha_proxy.block_all properties.

    These options are separate from the ha_proxy.internal_only_domains and ha_proxy.trusted_domain_cidrs.
    The latter add ACLs to specific domains, whereas these new settings apply across all traffic.

  • The load balancing algorithm for TCP backends can be defined by adding the balance property to the backend
    definition. Defaults to roundrobin, and must be one of HAProxy's supported load balancing algorithms.

  • The HAProxy tune.bufsize is now configurable via the ha_proxy.buffer_size_bytes property, should HAProxy
    need to be able to handle requests with large cookies/query strings that exceed the default 16384 bytes.

  • The ha_proxy.enable_health_check_http property can be specified to enable a health-check on the
    http/https backend servers. If set to true, this will cause HAProxy to listen on :8080 on the
    HAProxy server's IP. Setting the health_check_http property on TCP backend definitions to a port number
    will similarly enable an http-based health check endpoint on the specified port.

Acknowledgements

Many thanks to Juergen Graf, Soha Alboghdady, and Felix Reyn for all their contributions to this release!

haproxy BOSH Release v8.2.0

31 May 17:12

Improvements

Users are now able to specify which IP haproxy should bind to, using the ha_proxy.binding_ip
property. If not specified, haproxy will bind on all available interfaces.

Acknowledgements

Many thanks to @datianshi for this feature!

haproxy BOSH Release v8.1.2

26 May 15:54

Improvements

  • Operators can now optionally disable TLS v1.0 or TLS v1.1, via
    the ha_proxy.disable_tls_10 and ha_proxy.disable_tls_11 properties.
    Default behavior is unchanged, and TLS v1.0/v1.1/v1.2 are enabled
    by default.

haproxy BOSH Release v8.1.1

04 May 14:12

Link Support

  • The haproxy job now supports consuming links for backends.
    You can provide it the http_backend link, to control the default
    http/https backend. You can also give it an additional tcp_backend
    link to add in a tcp-backend that uses links. If your link doesn't
    support providing the port property, the job falls back to ha_proxy.tcp_link_port
    and ha_proxy.backend_port, depending on which link is in play.

Acknowledgements

Many thanks to @rkoster for bringing link support to haproxy-boshrelease!

haproxy BOSH Release v8.1.0

14 Apr 14:13

Improvements

  • Removed RC4 ciphers from the default cipher suite

  • Added HSTS support via the ha_proxy.enable_hsts,
    ha_proxy.hsts_include_subdomains, ha_proxy.hsts_preload,
    and ha_proxy.hsts_max_age properties. HSTS is off by default.

  • Added support for disabling TLS tickets to improve Forward
    Secrecy, via ha_proxy.disable_tls_tickets. TLS tickets are
    disabled by default.

  • Updated haproxy to v1.6.12 (from 1.6.10)

  • Updated pcre to v8.40 (from 8.36)

  • Updated socat to v1.7.3.2 (from 1.7.3.1)

Acknowledgements

  • Many thanks to @lcacciagioni for his work on these SSL
    improvements!

haproxy BOSH Release v8.0.12

31 Jan 14:19

New Features

  • Added new keepalived job for HA-ification of haproxy (only on infrastructures
    supporting VRRP). See the keepalived docs
    for details on how it works and how to use it.

Acknowledgements

Many thanks to @axelfauvel, @gberche-orange for their work on implementing and testing
this feature!